Open simonbyrne opened 5 years ago
Given the frequency in which I've seen CI on a checked-in manifest break during `Pkg.test` like this when a package is yanked, I think we might want to, instead of erroring in the resolver, put Pkg into a mode where it is allowed to resolve yanked versions but with a very loud warning.

If yanking was only done for security reasons then I think erroring like above is reasonable, but arguably `Pkg.instantiate` should also error, which it doesn't.

However, from what I've seen yanking is most commonly used for tricky compat issues (that I believe there is usually a way around, but that's another discussion).

So the above might look like:
```
% julia --project=@. -e 'using Pkg; Pkg.test()'
Testing Foo
Resolving package versions...
-------
WARNING
The package manifest has a dependency that has been yanked.
Pkg.test will use this version and respect the manifest, but it is recommended to investigate the yanking and fix the dependency version in manifest {manifest_path}
Yanked: Bar v1.2.3
-----
{The rest of Pkg.status output etc.}
```
Hmmmm, we'd only want to do this in a situation where the user checked their manifest into source control, right? Which is not most cases.

Should we instead have an `allow_yanked_packages` kwarg to `Pkg.test`, defaulting to `false`? Then, on repos where the user checks the manifest into source control, the user could also just specify `allow_yanked_packages=true`?
That sounds good.
I do think we should also add a warning in that case if a yanked package is installed.
And the same warning for instantiate, which already installs yanked packages.
I would be fine with an `allow_yanked_packages` kwarg for `Pkg.test` (which defaults to `false`), though I think users should avoid that as much as possible. Yanks can be security issues and I would not want that running in my CI. I also think `Pkg.instantiate` should be made consistent and not install yanked packages (it could also get this kwarg).
Indeed this frustration with yanks comes from too many yanks, and I would support working on those root causes rather than just ignoring yanks and losing that utility. As far as I understand, those root causes are all outside this repository (downgrade CI, yank culture, etc.) and should be tackled separately.
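As an added illustration of the switch discussed above (example code written for this page, not Pkg's own implementation and not from any participant in the thread): a hypothetical check that walks a `Manifest.toml`, looks each pinned version up in per-package `Versions.toml` data from a registry (where a yanked release carries `yanked = true`), and then either errors or warns depending on an assumed `allow_yanked_packages` keyword. The manifest, the registry entries, the UUIDs and the tree hashes are all constructed for the example; `yanked_in_manifest` and `check_yanked` are hypothetical names.

```julia
# Added example, not Pkg's own code: a hypothetical yanked-version check for a
# manifest, with the `allow_yanked_packages` switch proposed in the thread.
using TOML

# Constructed Manifest.toml (manifest_format 2.0 layout). UUIDs are dummies.
const MANIFEST = """
julia_version = "1.9.0"
manifest_format = "2.0"

[[deps.Bar]]
deps = ["Baz"]
uuid = "11111111-1111-1111-1111-111111111111"
version = "1.2.3"

[[deps.Baz]]
uuid = "22222222-2222-2222-2222-222222222222"
version = "0.4.1"
"""

# Constructed Versions.toml contents per package, in the registry layout where
# a yanked release is marked with `yanked = true`. Tree hashes are dummies.
const REGISTRY = Dict(
    "Bar" => TOML.parse("""
        ["1.2.2"]
        git-tree-sha1 = "0000000000000000000000000000000000000000"

        ["1.2.3"]
        git-tree-sha1 = "1111111111111111111111111111111111111111"
        yanked = true
        """),
    "Baz" => TOML.parse("""
        ["0.4.1"]
        git-tree-sha1 = "2222222222222222222222222222222222222222"
        """),
)

# Return sorted (name, version) pairs from the manifest whose version is yanked.
function yanked_in_manifest(manifest::AbstractString, registry::AbstractDict)
    m = TOML.parse(manifest)
    # format 2.0 nests packages under [deps]; older manifests list them top-level
    deps = get(m, "deps", m)
    found = Tuple{String,VersionNumber}[]
    for (name, entries) in deps
        entries isa AbstractVector || continue        # skip scalar keys such as julia_version
        for entry in entries
            haskey(entry, "version") || continue      # stdlib entries carry no version
            v = VersionNumber(entry["version"])
            info = get(get(registry, name, Dict{String,Any}()), string(v), nothing)
            if info !== nothing && get(info, "yanked", false) === true
                push!(found, (name, v))
            end
        end
    end
    return sort(found)
end

# Mimic the proposed Pkg.test behaviour: error by default, warn loudly when allowed.
function check_yanked(manifest::AbstractString, registry::AbstractDict;
                      allow_yanked_packages::Bool=false,
                      manifest_path::AbstractString="Manifest.toml")
    found = yanked_in_manifest(manifest, registry)
    isempty(found) && return found
    listing = join(("  $name v$v" for (name, v) in found), "\n")
    allow_yanked_packages || error(
        "manifest $manifest_path pins yanked package versions:\n$listing")
    @warn """
    The package manifest has a dependency that has been yanked.
    Continuing with the manifest as-is; investigate the yank and fix the
    dependency version in $manifest_path
    Yanked:
    $listing"""
    return found
end

# Default mode: refuse to proceed.
try
    check_yanked(MANIFEST, REGISTRY)
catch err
    println("default mode: ", sprint(showerror, err))
end

# Opt-in mode: proceed, but with the warning above.
hits = check_yanked(MANIFEST, REGISTRY; allow_yanked_packages=true)
println("allowed mode: continuing with ", hits)
```

The lookup is deliberately keyed on the exact pinned version string, so a manifest entry for a version the registry has never seen (an unregistered or dev'd package) is simply not flagged; only an entry explicitly marked `yanked = true` trips the check.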
If a yanked version is used in the `Manifest.toml`, then `Pkg.test` will fail when it attempts to resolve test dependencies:

(from https://dev.azure.com/spjbyrne/CLIMA/_build/results?buildId=150)

If yanking is to be used sparingly, I would be okay with failure here (though would prefer a more informative error message).